0

I need to leave only several ports open (e.g. 80 and 443). I've read about ASGs and created a JSON file with rules. But when I try to create an ASG through the terminal, it says `Server error, status code: 403, error code: 10003, message: You are not authorized to perform the requested action`. When I tried to find a solution, some sources said that I need to do it in the web console, but I don't have such menu items. The questions are:

  1. How can I manage ASGs?
  2. Do ASGs allow me to fully control incoming and outgoing traffic?
J is for Java

1 Answer

3

With Application Security Groups (ASGs) you can only manage egress traffic, i.e. you can manage which outside endpoints a Cloud Foundry foundation can talk to.

You cannot manage ingress, i.e. incoming traffic, with ASGs.

For ingress traffic you will have to manage it at the external router or HAProxy (if you implemented one) level. This will be outside of the PCF foundation.

To manage orgs, quotas, users, and ASGs, I would recommend using the cf-mgmt tool.

I had a similar need to manage ASGs for a prior client, so I built a pipeline. The repo pcfdev-sec-groups is a Concourse pipeline and will allow you to manage ASGs across foundations by changing vars.yml.

Another option to control incoming traffic is to implement a Route Service. This is a programmatic solution to filtering requests and needs a lot more work. Here is an example.

K.AJ
  • I've gone through the steps: installed glide and go, then ran `glide install` and `go build`, but when I call cf-mgmt it says there is no such command – J is for Java Aug 01 '17 at 18:33
  • 1
    After you install `cf-mgmt`, you have to first run `$ cf-mgmt init-config`. It will create a folder structure with all orgs, space, and other details. Once you have that, you can then run other commands. Please read the documentation thoroughly. – K.AJ Aug 01 '17 at 20:04
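
The Route Service option mentioned in the answer, sketched as an added example (not code from the answer or from the example it links to). The Gorouter passes the original URL in `X-CF-Forwarded-Url` together with `X-CF-Proxy-Signature` and `X-CF-Proxy-Metadata`; the service decides, then proxies the request to that URL with the two headers intact. The apps domain `apps.example.com` and the GET/HEAD-over-HTTPS policy are assumptions made for illustration.

```go
package main

import (
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"strings"
)

// Headers the Gorouter adds when it hands a request to a route service.
const (
	hdrURL     = "X-CF-Forwarded-Url"
	hdrSig     = "X-CF-Proxy-Signature"
	hdrMeta    = "X-CF-Proxy-Metadata"
	appsDomain = ".apps.example.com" // assumption: this foundation's apps domain
)

// allowed applies a sample policy: Gorouter headers present, https target inside
// the apps domain (so the service cannot be used as an open proxy), GET or HEAD.
func allowed(r *http.Request) bool {
	u, err := url.Parse(r.Header.Get(hdrURL))
	if err != nil || u.Scheme != "https" || !strings.HasSuffix(u.Hostname(), appsDomain) {
		return false
	}
	if r.Header.Get(hdrSig) == "" || r.Header.Get(hdrMeta) == "" {
		return false
	}
	return r.Method == http.MethodGet || r.Method == http.MethodHead
}

// director retargets the request; signature and metadata headers stay untouched.
func director(r *http.Request) {
	u, _ := url.Parse(r.Header.Get(hdrURL)) // already validated by allowed
	r.URL, r.Host = u, u.Host
}

// filter rejects disallowed requests with 403 and proxies the rest.
func filter() http.Handler {
	proxy := &httputil.ReverseProxy{Director: director}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowed(r) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

func main() { http.ListenAndServe(":"+os.Getenv("PORT"), filter()) }
```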